[DFSci] recovering outlook pst

Rob Zirnstein Rob.Zirnstein at ForensicInnovations.com
Thu Apr 7 12:35:12 PDT 2011 

Hi Marc,

 

The signatures you are seeing are for two different versions of PST files.
If you can determine which version you are looking for, you can remove the
other and filter the search results down.  I don't know if Foremost can
handle signatures with inconsistent bytes in the middle.  If not, you could
filter the results manually.

 

0x21 0x42 0x44 0x4e [] [] [] [] [] [] 0x0e = MS Outlook Personal Information
Store (97 - 2002) (32 bit, 2GB limitation)

0x21 0x42 0x44 0x4e [] [] [] [] [] [] 0x17 = MS Outlook Personal Information
Store (2003 - 2007) (64 bit)

 

I haven't seen the \x21\x42\x4e\xa5\x6f\xb5\xa6 signature.  Either it is a
typo missing the 0x44 byte or it's a variation of the file format that my
clients and I haven't seen yet.

 

Outlook 2003 and later can still use the older (32 bit) version.  So,
checking the employee's Outlook version may not be the best way to decide on
this filter.

 

Expect the PST to be fragmented, because these are typically very large
files that increase in size gradually over time.  So, tools that can't
handle fragmentation intelligently, and reject recovered files that don't
verify, should not be used.

 

Unfortunately, I don't have a solution to recommend, because my file carving
tool isn't ready for prime time yet.

 

 

Best regards,

Rob

 

Rob Zirnstein

President

Forensic Innovations, Inc.

www.ForensicInnovations.com <http://www.forensicinnovations.com/> 

Main: (317) 773-9717  Direct: (317) 430-6891

Rob.Zirnstein at ForensicInnovations.com

 

Innovations Blog <http://www.forensicinnovations.com/blog>   LinkedIn
<http://www.linkedin.com/pub/rob-zirnstein/b/a65/637>   Twitter
<http://twitter.com/RobZirnstein> 

 

-----Original Message-----
From: Marc Fisher [mailto:dfsci at ioudas.net] 
Sent: Thursday, April 07, 2011 5:14 AM
To: dfsci at lists.dfrws.org
Subject: [DFSci] recovering outlook pst

 

Hello,

I just found this list when I was looking for file carcing (foremost)

community.

I had my first file carving job yesterday when a disgrunted employee decided

to delete her whole outlook contents before leaving the company. The IT

manager was called to recover the data and said it wasn't possible, so I

decided to give it a try (I'm not IT guy by the way).

 

Outlook stores personal folders in pst file, the problem was that the file

wasn't deleted, only reduced in size (considerably).

After some research I decided that foremost was the tool for this task,

although I was quite sceptical at first that this was possible.

 

Recovering pst files has big advantage because there are tools to repair

damaged files, even extract information out of completely garbled pst files,

theoretically I could run such tool on the HDD image :D but this would be

extremelly slow(days) and could even crash the repair tool half-way. So I

basically needed foremost to identify the most interesting sectors.

 

I checked the foremost.conf and found preconfigured line for PST's. However

the header was different from what I found in pst's on my pc.

foremost.conf:

pst y 400000000 \x21\x42\x4e\xa5\x6f\xb5\xa6

 

my pst files start:

21 42 44 4e 98 af d7

 

Also I though that limiting files by extension could miss swap contents and

perhaps the space that was freed after the file was reduced. So I added one

more line to the default one:

. y 400000000 \x21\x42\x44\x4e

 

It worked well for my purpose, but the problem is that I didn't really know

what I was doing, and I'm very curious, thats why I decided to ask someone

who has a little but more experience and knowledge in this area.

 

Two biggest questions are:

1) Lets say foremost runs into the bytes 21 42 44 4e, how does it know where

to stop? I got several files in the output, some of them garbage but the

real files were of different size. Some were 10MB and some 70MB. I

understand that's what the footer is for, but I didn't set any in my conf.

2) I'm not sure yet whether I recovered the data from the space that was

freed after the file reduction or data from different PST files. Is it

possible at all in your opinion to recover data from reduced file - not from

deleted file?

 

Thank you very much for any info on this topic. Learning material is really

hard to come by on google! Perhaps not many people are hardcore enough to

really understand file carving in detail?

 

Thanks again,

Marc

More information about the DFSci mailing list